Scan

Scan #52

Workflow file for this run

	name: Scan

	on:
	schedule:
	- cron: "0 6 * * *" # Every day at 8am
	# Allow to run this workflow manually
	workflow_dispatch:
	workflow_call:

	jobs:
	vulnerability-scan:
	runs-on: ubuntu-latest
	permissions:
	contents: read
	packages: read
	security-events: write
	steps:
	- name: Checkout code
	uses: actions/checkout@v4
	with:
	fetch-depth: 0

	- name: Validate github workflow files to have pinned versions
	uses: digitalservicebund/github-actions-linter@09783a3d4e13424bc0caf1f7145f68bc6138688b # v0.1.11

	- name: Run Trivy vulnerability scanner
	uses: aquasecurity/trivy-action@915b19bbe73b92a6cf82a1bc12b087c9a19a5fe2 # v0.28.0
	env:
	TRIVY_USERNAME: ${{ github.actor }}
	TRIVY_PASSWORD: ${{ secrets.GITHUB_TOKEN }}
	# Specify multiple registries: try default GitHub registry, if too many requests, use the aws mirror.
	TRIVY_DB_REPOSITORY: ghcr.io/aquasecurity/trivy-db,public.ecr.aws/aquasecurity/trivy-db
	with:
	scanners: "vuln"
	scan-type: "fs"
	format: "sarif"
	# By default SARIF format enforces output of all vulnerabilities regardless of configured severities.
	# To override this set limit-severities-for-sarif to true.
	limit-severities-for-sarif: true
	output: "trivy-results.sarif"
	severity: "CRITICAL,HIGH"
	exit-code: "1" # Fail the build!

	- name: Upload Trivy scan results to GitHub Security tab
	uses: github/codeql-action/upload-sarif@4f3212b61783c3c68e8309a0f18a699764811cda # v3.27.1
	if: always() # Bypass non-zero exit code..
	with:
	sarif_file: "trivy-results.sarif"

	- name: Send status to Slack
	uses: digitalservicebund/notify-on-failure-gha@814d0c4b2ad6a3443e89c991f8657b10126510bf # v1.5.0
	if: ${{ failure() }}
	with:
	SLACK_WEBHOOK_URL: ${{ secrets.SLACK_WEBHOOK_URL }}

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Scan #52

Workflow file

Scan #52

Jobs

Run details

Workflow file for this run